ISE Tacacs unknow device error with fortigate

Slerouge
Level 1

Hello,

I'm using ISE 3.3.0.430

I have a few FortiGate firewalls and I want to use TACACS to authenticate users. The TACACS is provided by the ISE.
For 4 of them, there are no issues at all, but for the last one, the connection fails.

In the TACACS live logs, I can see the following error: "13017 Received TACACS+ packet from unknown Network Device or AAA Client". The log also shows the source IP, which is exactly the same as the one configured in the network device.

I tried to recreate the network device, recreate the TACACS profile on the FortiGate, and change the secret, but nothing's working.

Do you have any ideas what's going on? I haven't tried restarting the service or the ISE, as it is a critical process.

Thank you

Arne Bier
VIP

I would have also tried the same things as you already described.

The fact that ISE says it's an unknown Network device makes me want to start a tcpdump on the ISE TACACS node and then analyze in Wireshark. To get the full experience, you should also decode the TACACS packets in Wireshark by providing Wireshark with the TACACS key (Edit -> Preferences -> Protocols -> TACACS+) - just remember to remove the key after your analysis - you don't want that hanging around in Wireshark in clear text.

Compare that with a working scenario - maybe you'll see some clues. Check the TCP layer also (don't just filter on "tacplus").

If you created the Network Device entries the same way as the other four working cases, then there should be no issue in ISE. 

In my experience, rebooting ISE nodes hardly ever changes Policy Set processing behaviour. But that would be an option if Wireshark doesn't reveal any differences.

Did you configure each of these five firewalls with their individual IP addresses (/32) or did you use any wider notation?

Why use TACACS+ at all? Why not use SAML instead to your IdP of choice?

Slerouge
Level 1

I feel a bit stupid on that, but my ISE is set up in a cluster and the firewalls are configured to reach the secondary node.
However, at some point the synchronization stopped between primary and secondary, so the last firewall profile was not replicated to the secondary node, which explains the issue.
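
As an added illustration of this root cause (example code, not from the thread or from Cisco): a small check that compares each firewall's TACACS+ source IP against the network-device entries held by the ISE node it actually sends to, so a device that exists on the primary but never replicated to the secondary stands out. The node names, firewall IPs and per-node NAD tables are constructed sample data; pulling those tables from each node (for example via an ERS export) is assumed and not shown.

```python
import ipaddress

# Constructed sample data (not from the thread): the network-device (NAD) IP
# entries as each ISE node would report them, e.g. from a per-node ERS export
# (using ERS for that is an assumption; the fetch is not shown). fgt-05 exists
# on the primary only, mirroring the replication gap described above.
NAD_BY_NODE = {
    "ise-primary": {f"fgt-0{i}": [(f"10.10.1.{i}", 32)] for i in range(1, 6)},
    "ise-secondary": {f"fgt-0{i}": [(f"10.10.1.{i}", 32)] for i in range(1, 5)},
}

# Constructed: each firewall's TACACS+ source IP and the ISE node its TACACS+
# server entry points at (all five reach the secondary, as in the thread).
FIREWALLS = {f"fgt-0{i}": (f"10.10.1.{i}", "ise-secondary") for i in range(1, 6)}


def nad_for_ip(nad_table, src_ip):
    """Return the NAD name whose ipaddress/mask covers src_ip, else None.
    ISE matches the packet source against these ranges, so a /24 entry
    covers a whole subnet while a /32 covers exactly one host."""
    ip = ipaddress.ip_address(src_ip)
    for name, ranges in nad_table.items():
        for addr, mask in ranges:
            if ip in ipaddress.ip_network(f"{addr}/{mask}", strict=False):
                return name
    return None


def find_unknown_devices(nad_by_node, firewalls):
    """Check every firewall against the node it actually sends TACACS+ to.
    A miss there is what ISE logs as 13017, even when another node knows
    the device. Returns (firewall, src_ip, node, nodes_that_do_know_it)."""
    problems = []
    for fw, (src_ip, node) in firewalls.items():
        if nad_for_ip(nad_by_node[node], src_ip) is None:
            known_on = [n for n, t in nad_by_node.items() if nad_for_ip(t, src_ip)]
            problems.append((fw, src_ip, node, known_on))
    return problems


if __name__ == "__main__":
    for fw, ip, node, known_on in find_unknown_devices(NAD_BY_NODE, FIREWALLS):
        print(f"{fw} ({ip}) unknown on {node}; known on {known_on or 'no node'}")
```

Running it reports fgt-05 as unknown on ise-secondary but known on ise-primary, which is the replication gap above; a firewall that is unknown on every node points instead at a wrong source IP or a too-narrow mask, which is what the /32 question in the reply above is getting at.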

No worries, glad to know that the issue is now fixed.